(In reply to comment #5)
> IE: semi-random numbers
Playing around with WinDbg, these "semi-random numbers" seems to be addresses. This can probably be used as an address leak to defeat ASLR in IE9. IE10 fixed this and matches the spec.

This information leak is due to MSHTML!CTableCell::get_cellIndex not writing the address provided for the return value that is passed as part of COM calling conventions, which is a stack local variable that happens to be set to the address when the function was called.